Data in the News
If you think deleting your account deletes all your personally identifiable information (PII) from instant messaging apps, then you may need to think again, and this is probably true for all services that encourage social interaction between friends and request permission to access the contacts on a user’s device to facilitate this.
If, like me, you have never used Houseparty, you could be forgiven for assuming that the service does not hold any personal information on you; again, you may need to rethink this.
Your personal data, such as phone number and name, and maybe even email and physical address, may have been uploaded to servers of social media and instant messaging companies when they are granted permission to synchronize contact lists from your friends’ devices.
The Brexit transition period ends on 31 December, which means that from then the UK will no longer be treated as part of the EU for data protection purposes. Here we look at the key data protection compliance implications for schools.
Will the UK get an "adequacy finding" and why does it matter?
The GDPR provides that personal data can only usually leave the EEA if:
the destination country has been given a finding of adequacy by the EU Commission
in the absence of an adequacy finding, the transfer is subject to one of the safeguards in the GDPR
in the absence of an adequacy finding and a safeguard, the transfer falls under one of the limited exceptions (referred to as derogations) in the GDPR
From a UK perspective, an adequacy finding would be plainly beneficial as without this, UK organisations (including schools) will need to check that there is a safeguard or exemption in place for all transfers of personal data from the EEA to the UK.
Whilst the UK has applied for an adequacy finding and negotiations are ongoing, there is no guarantee that the UK's application will be successful. On the one hand, it may seem surprising if the UK was not granted adequacy, particularly as UK and EU data protection laws will remain aligned (at least in the short term) through the UK's adoption of the GDPR. Whilst this is the case, there are some concerns at EU level about the UK's wider data privacy practices, for example, in relation to national security and surveillance.
The General Data Protection Regulation (GDPR) continues to result in hefty fines and penalties for businesses and organisations across European countries, even two years after coming into force.
According to data presented by BuyShares, the United Kingdom tops the list of the most expensive data breach penalties with €132.7 million in the total value of GDPR fines, more than Germany and Italy combined.
The primary reason for such a high cumulative value of GDPR fines in the United Kingdom is the data breach penalty imposed by the UK’s data protection authority, the ICO, on Marriott International. In November 2018, the American multinational company was fined €110.4 million after reporting a cyber incident that exposed nearly 340 million guest records.
Last week, the ICO fined British Airways €22 million for failing to protect the personal and financial details of more than 400,000 of its customers, the second largest GDPR fine in the United Kingdom. The penalty is considerably smaller than the €204.6 million that the ICO initially said it intended to issue back in 2019 after the Magecart group used card skimming to collect the personal and payment information of British Airways’ customers.
The United Kingdom is at a crossroads. On the verge of Brexit, it has to decide where it stands in relation to privacy: will it loosen data protection regulation, moving more towards China’s model, or will it guarantee its citizens’ right to privacy, moving more towards a Californian approach and securing a data adequacy agreement with the EU? It would be a mistake to choose the former.
Last month, the UK published its national data strategy. Oliver Dowden, the digital secretary, wrote that under the UK’s strategy, “Data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded.” No one doubts there are welcome opportunities in data, but to overly focus on the potential benefits of data and neglect the threats that the collection and use of personal data entail would be unwise.
Instagram is being investigated by Ireland's Data Protection Commissioner (DPC) over its handling of children's personal data on the platform.
The social media app's owner Facebook could face a large fine if Instagram is found to have broken privacy laws. It comes amid reports Instagram failed to protect data, including allowing email addresses and phone numbers of those under 18 to be made public. Facebook said it rejected the claims but was cooperating with the DPC.
Several US tech giants have their European headquarters in Ireland, and the DPC is the lead European Union regulator under the EU General Data Protection Regulation (GDPR), which came into force in 2018. The DPC is responsible for protecting individuals' right to online privacy and has the power to issue large fines.
And finally, …
2020 presented us with many surprises, but the world of data privacy somewhat bucked the trend. Many industry verticals suffered losses, uncertainty, and closures, but the protection of individuals and their information continued to truck on.
What can we expect in 2021? Undoubtedly, the number of data privacy cases brought before the courts will continue to rise. That’s not necessarily a bad thing: with each case comes additional clarity and precedent on many different areas of the regulation that, to date, is open to interpretation and conjecture.
One of the biggest events of 2021 will be the UK leaving the EU. The British implementation of the GDPR comes in the form of the UK Data Protection Bill 2018. Aside from a few deregulations, it’s the GDPR and that’s great… as far as it goes. Having strong local data privacy laws is good, but after enjoying 47 years (at the time of writing) of free movement within the Union, how will being outside of the EU impact British business?